AWS Security

AWS RDS Security Checklist: 17 Essential Controls for 2024

13 May 2026·5 min read·FixMyCloud Team

Why AWS RDS Security Matters

Database breaches cost organizations an average of $4.88 million according to IBM's 2023 Data Breach Report. AWS RDS manages the underlying infrastructure, but database security remains a shared responsibility. You're responsible for network access controls, encryption, monitoring, and configuration hardening.

This checklist covers 17 essential AWS RDS security controls that security engineers implement to protect production databases. Each item includes specific commands and configuration examples.

Network Security Controls

1. Configure VPC and Subnets Properly

Never deploy RDS instances in public subnets. Always use private subnets within a VPC.

# The subnet group must contain only private subnets; the placeholder
# password is shown inline for brevity (see control 8 for keeping it out
# of shell history and scripts)
aws rds create-db-instance \
  --db-instance-identifier mydb-prod \
  --db-instance-class db.r6g.large \
  --engine mysql \
  --master-username admin \
  --master-user-password mypassword \
  --vpc-security-group-ids sg-0123456789abcdef0 \
  --db-subnet-group-name private-db-subnet-group \
  --no-publicly-accessible

2. Implement Security Group Rules

Restrict database access to specific application servers or IP ranges. Avoid 0.0.0.0/0.

# Allow access only from application security group
aws ec2 authorize-security-group-ingress \
  --group-id sg-db123456 \
  --protocol tcp \
  --port 3306 \
  --source-group sg-app123456

# Allow access from specific IP range
aws ec2 authorize-security-group-ingress \
  --group-id sg-db123456 \
  --protocol tcp \
  --port 3306 \
  --cidr 10.0.1.0/24
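As an added example (not from the original post), a small offline check of saved `aws ec2 describe-security-groups` output against this control: it flags ingress rules that reach the database port from the whole internet or that are wider than the single DB port. The security group document, the port and the finding wording are constructed here for the example.

```python
import ipaddress
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups --group-ids sg-db123456 --output json`
SAMPLE = json.loads("""{"SecurityGroups": [{"GroupId": "sg-db123456", "IpPermissions": [
 {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
  "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app123456"}]},
 {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
 {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
  "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}
]}]}""")


def audit_db_security_group(describe_output, db_port=3306):
    """Return (group id, reason) findings for ingress rules that expose
    db_port more widely than 'app security group or a specific CIDR'."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]
            # "-1" (all traffic) carries no port fields; treat it as 0-65535
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto not in ("-1", "tcp") or not lo <= db_port <= hi:
                continue  # this rule cannot reach the database port at all
            if proto == "-1" or (lo, hi) != (db_port, db_port):
                findings.append((gid, "rule is wider than the DB port"))
            # Security-group sources (UserIdGroupPairs) are the preferred form
            # and are not flagged; CIDR sources are checked for /0
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if ipaddress.ip_network(cidr).prefixlen == 0:
                    findings.append((gid, f"open to the internet via {cidr}"))
    return findings


if __name__ == "__main__":
    for gid, reason in audit_db_security_group(SAMPLE):
        print(f"{gid}: {reason}")
```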

3. Disable Public Accessibility

Ensure your RDS instance isn't accessible from the internet:

# Check public accessibility status
aws rds describe-db-instances \
  --db-instance-identifier mydb-prod \
  --query 'DBInstances[0].PubliclyAccessible'

# Disable public access
aws rds modify-db-instance \
  --db-instance-identifier mydb-prod \
  --no-publicly-accessible \
  --apply-immediately

Encryption and Data Protection

4. Enable Encryption at Rest

Enable encryption during instance creation; it cannot be turned on afterwards (an existing unencrypted instance is encrypted by copying a snapshot with a KMS key and restoring from that copy):

# Add these flags to the create-db-instance call from control 1
# (engine, instance class, subnet group, security group, and so on)
aws rds create-db-instance \
  --db-instance-identifier mydb-prod \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

5. Enable Encryption in Transit

Force SSL/TLS connections by setting the appropriate database parameter in a custom parameter group and attaching that group to the instance:

For MySQL/MariaDB, require_secure_transport rejects plaintext connections:

aws rds create-db-parameter-group \
  --db-parameter-group-name mysql-ssl-required \
  --db-parameter-group-family mysql8.0 \
  --description "MySQL with SSL required"

aws rds modify-db-parameter-group \
  --db-parameter-group-name mysql-ssl-required \
  --parameters "ParameterName=require_secure_transport,ParameterValue=1,ApplyMethod=immediate"

# Attach the group to the instance; require_secure_transport is dynamic,
# so no reboot is needed
aws rds modify-db-instance \
  --db-instance-identifier mydb-prod \
  --db-parameter-group-name mysql-ssl-required \
  --apply-immediately

For PostgreSQL, the parameter that rejects non-SSL connections is rds.force_ssl (the ssl parameter only enables SSL, it does not require it):

# Family shown for a PostgreSQL 16 instance; match it to your engine version
aws rds create-db-parameter-group \
  --db-parameter-group-name postgres-ssl-required \
  --db-parameter-group-family postgres16 \
  --description "PostgreSQL with SSL required"

aws rds modify-db-parameter-group \
  --db-parameter-group-name postgres-ssl-required \
  --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot"

# Attach the group as above with modify-db-instance, then reboot the instance
# for the pending-reboot change to take effect

6. Manage KMS Keys Properly

Use customer-managed KMS keys for better control over encryption:

# Create dedicated KMS key for RDS
aws kms create-key \
  --description "RDS encryption key for production databases" \
  --key-usage ENCRYPT_DECRYPT

# Create key alias
aws kms create-alias \
  --alias-name alias/rds-prod-key \
  --target-key-id 12345678-1234-1234-1234-123456789012

Access Control and Authentication

7. Implement IAM Database Authentication

Enable IAM database authentication for temporary, token-based access:

# Enable IAM database authentication
aws rds modify-db-instance \
  --db-instance-identifier mydb-prod \
  --enable-iam-database-authentication \
  --apply-immediately

# The database user must also be created for IAM authentication, e.g.
#   MySQL:      CREATE USER 'app-user' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
#   PostgreSQL: CREATE USER "app-user"; GRANT rds_iam TO "app-user";
# Clients then connect over SSL with a short-lived (15 minute) token from
# `aws rds generate-db-auth-token` in place of a password.

Create an IAM policy for database access. The resource ARN identifies the instance by its DbiResourceId (from `aws rds describe-db-instances --query 'DBInstances[0].DbiResourceId'`), not by the instance identifier; db-XXXXXXXXXXXXXXXXXXXXXXXXXX below is a placeholder for that value:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:us-east-1:123456789012:dbuser:db-XXXXXXXXXXXXXXXXXXXXXXXXXX/app-user"
      ]
    }
  ]
}

8. Use Secrets Manager for Credentials

Store database credentials in AWS Secrets Manager instead of hardcoding them:

# Create secret for RDS credentials (the value is an example; supply a
# generated password in practice)
aws secretsmanager create-secret \
  --name prod/myapp/db \
  --description "Production database credentials" \
  --secret-string '{"username":"admin","password":"SecureP@ssw0rd123"}'

# Retrieve credentials at runtime; in application code use the SDK
# equivalent and never write the value to logs or container images
aws secretsmanager get-secret-value \
  --secret-id prod/myapp/db \
  --query SecretString --output text

9. Configure Strong Master User Credentials

Use strong, unique passwords and rotate them regularly:

  • Minimum 12 characters
  • Include uppercase, lowercase, numbers, and symbols
  • Avoid dictionary words
  • Rotate every 90 days

Backup and Recovery Security

10. Configure Automated Backups

Enable automated backups with appropriate retention:

aws rds modify-db-instance \
  --db-instance-identifier mydb-prod \
  --backup-retention-period 7 \
  --preferred-backup-window "03:00-04:00" \
  --apply-immediately

11. Encrypt Backup Snapshots

Ensure snapshots are encrypted (automatic if source DB is encrypted):

# Check snapshot encryption status
aws rds describe-db-snapshots \
  --db-instance-identifier mydb-prod \
  --query 'DBSnapshots[*].[DBSnapshotIdentifier,Encrypted]'

# Create encrypted manual snapshot
aws rds create-db-snapshot \
  --db-instance-identifier mydb-prod \
  --db-snapshot-identifier mydb-prod-manual-encrypted-2024

12. Control Cross-Region Backup Access

When copying snapshots across regions, maintain encryption. The target KMS key must live in the destination region, and --source-region is required for an encrypted cross-region copy:

aws rds copy-db-snapshot \
  --source-db-snapshot-identifier arn:aws:rds:us-east-1:123456789012:snapshot:mydb-prod-snapshot \
  --target-db-snapshot-identifier mydb-prod-dr-snapshot \
  --kms-key-id arn:aws:kms:us-west-2:123456789012:key/87654321-4321-4321-4321-210987654321 \
  --source-region us-east-1 \
  --region us-west-2

Monitoring and Auditing

13. Enable Performance Insights

Monitor database performance and identify potential security issues:

aws rds modify-db-instance \
  --db-instance-identifier mydb-prod \
  --enable-performance-insights \
  --performance-insights-retention-period 731 \
  --performance-insights-kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

14. Configure Database Activity Streams

For real-time monitoring of database activity. Database Activity Streams are available for Aurora and for RDS for Oracle and SQL Server; RDS for MySQL and PostgreSQL rely on exporting audit logs to CloudWatch Logs instead:

aws rds start-activity-stream \
  --resource-arn arn:aws:rds:us-east-1:123456789012:db:mydb-prod \
  --mode async \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 \
  --apply-immediately
# RDS creates the Kinesis data stream itself (named aws-rds-das-<resource id>);
# there is no option to name it. Read the stream name from the command's
# KinesisStreamName output and attach your consumer to it.

15. Set Up CloudWatch Alarms

Monitor critical security metrics:

# Spike in open connections. RDS publishes no failed-login metric;
# authentication failures come from the engine error/audit logs or
# activity streams (control 14)
aws cloudwatch put-metric-alarm \
  --alarm-name "RDS-Connection-Spike" \
  --alarm-description "Unusually high number of database connections" \
  --metric-name DatabaseConnections \
  --namespace AWS/RDS \
  --statistic Maximum \
  --period 300 \
  --evaluation-periods 1 \
  --threshold 50 \
  --comparison-operator GreaterThanThreshold \
  --dimensions Name=DBInstanceIdentifier,Value=mydb-prod

Compliance and Governance

16. Enable AWS Config Rules

Implement continuous compliance monitoring:

# Managed rule that flags unencrypted RDS storage (control 4); the managed
# rules RDS_INSTANCE_PUBLIC_ACCESS_CHECK and RDS_SNAPSHOT_ENCRYPTED cover
# controls 3 and 11 the same way
aws configservice put-config-rule \
  --config-rule '{
    "ConfigRuleName": "rds-storage-encrypted",
    "Source": {
      "Owner": "AWS",
      "SourceIdentifier": "RDS_STORAGE_ENCRYPTED"
    }
  }'

17. Tag Resources for Security Governance

Implement consistent tagging for security tracking:

aws rds add-tags-to-resource \
  --resource-name arn:aws:rds:us-east-1:123456789012:db:mydb-prod \
  --tags Key=Environment,Value=Production \
         Key=Owner,Value=TeamAlpha \
         Key=Compliance,Value=SOC2 \
         Key=DataClassification,Value=Confidential
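As an added example (not from the original post), an offline audit of saved `aws rds describe-db-instances` output against controls 3, 4, 7, 10, 13 and 17; controls that live outside the instance description (security groups, parameter groups) are not covered. The two sample instances and the required tag set are constructed here.

```python
import json

# Constructed sample in the shape of `aws rds describe-db-instances --output json`;
# only the fields the checks below read are included.
SAMPLE = json.loads("""{"DBInstances": [
 {"DBInstanceIdentifier": "mydb-prod", "PubliclyAccessible": false,
  "StorageEncrypted": true, "IAMDatabaseAuthenticationEnabled": true,
  "BackupRetentionPeriod": 7, "PerformanceInsightsEnabled": true,
  "TagList": [{"Key": "Environment", "Value": "Production"},
              {"Key": "Owner", "Value": "TeamAlpha"},
              {"Key": "Compliance", "Value": "SOC2"},
              {"Key": "DataClassification", "Value": "Confidential"}]},
 {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": true,
  "StorageEncrypted": false, "IAMDatabaseAuthenticationEnabled": false,
  "BackupRetentionPeriod": 0, "PerformanceInsightsEnabled": false,
  "TagList": [{"Key": "Environment", "Value": "Production"}]}
]}""")

# Tag keys from control 17; treating all four as mandatory is this example's assumption
REQUIRED_TAGS = {"Environment", "Owner", "Compliance", "DataClassification"}

# (control number, description, predicate that is True when compliant)
CHECKS = [
    (3, "not publicly accessible", lambda d: not d.get("PubliclyAccessible", False)),
    (4, "storage encrypted at rest", lambda d: d.get("StorageEncrypted", False)),
    (7, "IAM database authentication enabled",
     lambda d: d.get("IAMDatabaseAuthenticationEnabled", False)),
    (10, "automated backups retained >= 7 days",
     lambda d: d.get("BackupRetentionPeriod", 0) >= 7),
    (13, "Performance Insights enabled", lambda d: d.get("PerformanceInsightsEnabled", False)),
    (17, "governance tags present",
     lambda d: REQUIRED_TAGS <= {t["Key"] for t in d.get("TagList", [])}),
]


def audit_instances(describe_output):
    """Map each DB instance identifier to the list of control numbers it fails."""
    report = {}
    for db in describe_output["DBInstances"]:
        report[db["DBInstanceIdentifier"]] = [n for n, _, ok in CHECKS if not ok(db)]
    return report


if __name__ == "__main__":
    descriptions = {n: text for n, text, _ in CHECKS}
    for name, failed in audit_instances(SAMPLE).items():
        for n in failed:
            print(f"{name}: FAIL control {n} ({descriptions[n]})")
```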

Automated Security Scanning

Managing these 17 AWS RDS security controls manually across multiple databases becomes complex quickly. FixMyCloud automatically scans your RDS instances for these security misconfigurations, providing:

  • Real-time compliance monitoring across all AWS regions
  • Automated detection of unencrypted instances, public accessibility, and weak security groups
  • Integration with your CI/CD pipeline for continuous security validation
  • Detailed remediation guidance with specific AWS CLI commands

Implementation Priority

Implement these controls in order of risk:

Critical (Implement First):

  • Disable public accessibility
  • Enable encryption at rest and in transit
  • Configure restrictive security groups
  • Use strong master credentials

High Priority:

  • Enable automated backups
  • Implement IAM database authentication
  • Set up monitoring and alerting

Medium Priority:

  • Configure database activity streams
  • Implement compliance monitoring
  • Optimize backup encryption and retention

AWS RDS security requires ongoing attention. Use this checklist as your foundation, but remember that security is not a one-time configuration—it requires continuous monitoring, regular updates, and adaptation to new threats.
